
Return of Bumblebee malware: All you need to know

It has been confirmed that Bumblebee can be used to deploy ransomware, although the identity of the perpetrator remains unknown

Hackers have once again started using Bumblebee malware in their latest campaigns targeting victims worldwide, according to a report by cybersecurity experts at Proofpoint.

After a period of four months of inactivity, researchers spotted threat actors deploying this malware variant in new campaigns.

The researchers observed a campaign where several thousand emails were sent to various organisations in the United States. These emails were part of a phishing campaign aimed at convincing victims to download and run a Word file hosted in a OneDrive folder.

The Word file, which appeared to come from Humane, a company developing a smart wearable device, was found to be malicious. It contained a harmful macro that downloaded and executed Bumblebee, a malicious loader that can further compromise the endpoint.

Although the campaign could not be attributed to a specific threat actor, Proofpoint suspects that it may be linked to the TA579 group.

Additionally, Proofpoint has recently observed two other groups, TA576 and TA866, that were inactive for months, and they may also be involved in this campaign.

It has been confirmed that Bumblebee can be used to deploy ransomware, although the identity of the perpetrator remains unknown.

The attack was carried out using a macro-based method, which is an unconventional approach, as Microsoft eliminated this tactic two years ago.

In 2022, Microsoft blocked macros in files downloaded from the internet by default, leading most threat actors to switch to alternative techniques. A new approach emerged, which involves the use of shortcut files instead of Word documents. One of the benefits of this method is the ability to alter the icon’s appearance, which the hackers exploited to deceive people into believing that they were running a .PDF file.
